1 / 23

Unicode/IDN Security

Unicode/IDN Security. Mark Davis President, Unicode Consortium Chief SW Globalization Arch., IBM. The Unicode Consortium. Software globalization standards: define properties and behavior for every character in every script Unicode Standard: a unique code for every character

donnelly
Download Presentation

Unicode/IDN Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Unicode/IDN Security Mark DavisPresident, Unicode ConsortiumChief SW Globalization Arch., IBM

  2. The Unicode Consortium • Software globalization standards: define properties and behavior for every character in every script • Unicode Standard: a unique code for every character • Common Locale Data Repository: LDML format plus repository for required locale data • Collation, line breaking, regex, charset mapping, … • Used by every major modern operating system, browser, office software, email client,… • Core of XML, HTML, Java, C#, C (with ICU), Javascript, …

  3. Security ~ Identity System A X = x System B X ≠ x

  4. IDN • You get an email about your paypal.com account, click on the link… • You carefully examine your browser's address box to make sure that it is actually going to http://paypal.com/ … • But actually it is going to a spoof site: “paypal.com” with the Cyrillic letter “p”. • You (System A) think that they are the same • DNS (System B) thinks they are different

  5. Examples: Letters • Cross-Script • p in Latin vs p in Cyrillic • In-Script • Sequences • rn may appear at display sizes like m • अ + ा typically looks identical to आ • so̷slooks likesøs • Rendering Support • ä with two umlauts may look the same as ä with one • eḷ is actually e + l ̣

  6. Examples: Numbers Thus ৪୨ = 42

  7. Syntax Spoofing • http://example.org/1234/not.mydomain.com • http://example.org/1234/not.mydomain.com • / = fraction-slash Also possible without Unicode: • http://example.org--long-and-obscure-list-of-characters.mydomain.com

  8. UTR #36: Security Recommendations • General Security Issues (not just IDN) • V1 approved mid-2005; V2 in progress • http://unicode.org/draft/reports/tr36/tr36.html • Describes the problems, recommends best practices • Users • Programmers • User-Agents (browsers, email, office apps) • Registries • Registrars

  9. UTS #39: Security Mechanisms • Supplies data /algorithms for implementations • Restricted character repertoire: • Based on Unicode Identifier Profile • Intersect with current NamePrep • Characters → scripts, confusable characters Originally in UTR #36 Version 1; split out for clarity http://www.unicode.org/draft/reports/tr39/tr39.html

  10. Current NamePrep≠Unicode Identifiers U3.2Symbols (2,974) Non-Mod. (52,842) U3.2Alphanum*(37,200) U5.0Alphanum*(+2,810) a œ и שس௫ཀ ฎ अ ꀅ あ タ 入 ৫ 2 … ਁ ჹਃ ჺሇ ऄ ঽ… ℞ §♔ / ∞☃ ➥ √ … http://unicode.org/reports/tr36/idn-chars.html

  11. Restriction Levels* 2. Highly Restrictive • All characters from a single script, or from limited combinations: • Han + Hiragana + Katakana; Han + Bopomofo; or Han + Hangul • No characters in the identifier can be outside of the Identifier Profile • includes Letters, Numbers; excludes Symbols, Punctuation,… 3. Moderately Restrictive • Allow Latin with other scripts except Cyrillic, Greek, Cherokee: ip-アドレス.co.jp خدمة-rss.eg 4. Minimally Restrictive • Allow arbitrary mixtures of scripts: sony-βίντεο.gr xml-документы.ru игро-shop.com … * Subject also to restrictions on confusables

  12. ICANN Guidelines v2http://icann.org/general/idn-guidelines-14nov05.htm • Improvement on v1,…butneeds new revision: • Procedurally • Insufficient time for thorough review • The disposition (with rationale) of comments not available • Only single cycle of public review • Technically • Any specification needs a much clearer structure – the exact implications of a claim to adhere to the guidelines are currently impossible to measure, and useless for security • #3 (script/language limitations) has far too many loopholes. • #4 (symbols) is too permissive, and not well-defined • #5 (registration) should use the post-nameprep’ed form

  13. Guideline 3 (lang./script limitations) • Associate with script except with language and script, or except with set of languages, or except with “more than one designator” • Publish set of code points, define variant code points; indicate script/language. • Why language? (too fuzzy to be testable) • Why script? (derivable from characters) • Single script in label, except when language requires, except with mixed-script confusables, except with “policy & table” defined. • Who decides when required? • Allows single-script confusables. • All registry policies documented and publicly available, with table for each set of code points • Machine readable? Discursive description?

  14. Guideline 4 (disallowed symbols) • Line symbol-drawing characters (as those in the Unicode Box Drawing block) • One small set of the many symbols • Symbols and icons that are neither alphanumeric nor ideographic language characters, • Numbers? Combining Marks? Letter modifiers? Kana length mark? Ill-defined, untestable. • Characters with well-established functions as protocol elements • / is confusable with a “protocol element” but isn’t one. Ill-defined, untestable. • Punctuation marks used solely to indicate the structure of sentences • Em-dash? Who decides? Ill-defined, untestable. • Punctuation marks that are used within words except “essential to the language” & “associated with explicit prescriptive rules” • Ill-defined, untestable. • Except “under corresponding conditions, a single specified character may be used as a separator within a label, … by designating a functionally equivalent punctuation mark from within the script.” • Ill-defined, untestable.

  15. Guideline 5 (registration) • A registry will define an IDN registration in terms of both its Unicode and ASCII-encoded representations. • Should use output Unicode representation (after mapping and normalization): otherwise many more visually confusable characters are present • Should say “ACE”, not ASCII.

  16. Unicode Recommendations Precise Specification, Mechanically Testable: • Guideline 3 (script/language limitations) → • Publicly document the Restriction Level being enforced (≤ Level 4) • Publicly document the enforcement policy on confusables: whether any two domain names are allowed to be whole-script or mixed script confusables according to [UTR39]. • Guideline 4 (symbols) → • Only characters in IDN Security Profiles for Identifiers [UTR39]. • Guideline 5 (registration) → • Define an IDN registration in terms of its: • Nameprep-Normalized Unicode representation (output format) • ACE representation Work with IETF to update NamePrep to Unicode 5.0 (+)

  17. Backup Slides

  18. Agenda • Unicode Background • Security Issues

  19. Domain Names

  20. Non-Visual Attacks • Exploiting Expectations • Collation: • X < Y, so X + H < Y + H wrong • Casing: • len(X) = len(toUpper(X)) wrong • Encoding: • ‘/’ is always represented by 2F16wrong

  21. UAX #31: Identifier & Pattern Syntax • For identification of entities (programming variables, resources, domain names, ... • Appropriate characters -- stable across versions • Notall natural language words: • can’t • U.S.A. • ProvidesFoundation:specifications can “tailor” it for different environments: adding or removing characters.

  22. “StringPrep” Processing • Map A → a • Normalize c + ¸ → ç ㄱ +ㅏ → 가 カ → カ fi → f + i • Prohibit & / . , …

  23. UAX #15: Unicode Normalization Forms • Normalizes most visually confusable sequences to unique form c + ¸ → ç ㄱ +ㅏ → 가 カ → カ fi → f + i • Core part of StringPrep, other Identifier Profiles

More Related